{"id":"CVE-2024-35911","summary":"ice: fix memory corruption bug with suspend and rebuild","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix memory corruption bug with suspend and rebuild\n\nThe ice driver would previously panic after suspend. This is caused\nfrom the driver *only* calling the ice_vsi_free_q_vectors() function by\nitself, when it is suspending. Since commit b3e7b3a6ee92 (\"ice: prevent\nNULL pointer deref during reload\") the driver has zeroed out\nnum_q_vectors, and only restored it in ice_vsi_cfg_def().\n\nThis further causes the ice_rebuild() function to allocate a zero length\nbuffer, after which num_q_vectors is updated, and then the new value of\nnum_q_vectors is used to index into the zero length buffer, which\ncorrupts memory.\n\nThe fix entails making sure all the code referencing num_q_vectors only\ndoes so after it has been reset via ice_vsi_cfg_def().\n\nI didn't perform a full bisect, but I was able to test against 6.1.77\nkernel and that ice driver works fine for suspend/resume with no panic,\nso sometime since then, this problem was introduced.\n\nAlso clean up an un-needed init of a local variable in the function\nbeing modified.\n\nPANIC from 6.8.0-rc1:\n\n[1026674.915596] PM: suspend exit\n[1026675.664697] ice 0000:17:00.1: PTP reset successful\n[1026675.664707] ice 0000:17:00.1: 2755 msecs passed between update to cached PHC time\n[1026675.667660] ice 0000:b1:00.0: PTP reset successful\n[1026675.675944] ice 0000:b1:00.0: 2832 msecs passed between update to cached PHC time\n[1026677.137733] ixgbe 0000:31:00.0 ens787: NIC Link is Up 1 Gbps, Flow Control: None\n[1026677.190201] BUG: kernel NULL pointer dereference, address: 0000000000000010\n[1026677.192753] ice 0000:17:00.0: PTP reset successful\n[1026677.192764] ice 0000:17:00.0: 4548 msecs passed between update to cached PHC time\n[1026677.197928] #PF: supervisor read access in kernel mode\n[1026677.197933] #PF: error_code(0x0000) - not-present page\n[1026677.197937] PGD 1557a7067 P4D 0\n[1026677.212133] ice 0000:b1:00.1: PTP reset successful\n[1026677.212143] ice 0000:b1:00.1: 4344 msecs passed between update to cached PHC time\n[1026677.212575]\n[1026677.243142] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[1026677.247918] CPU: 23 PID: 42790 Comm: kworker/23:0 Kdump: loaded Tainted: G        W          6.8.0-rc1+ #1\n[1026677.257989] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022\n[1026677.269367] Workqueue: ice ice_service_task [ice]\n[1026677.274592] RIP: 0010:ice_vsi_rebuild_set_coalesce+0x130/0x1e0 [ice]\n[1026677.281421] Code: 0f 84 3a ff ff ff 41 0f b7 74 ec 02 66 89 b0 22 02 00 00 81 e6 ff 1f 00 00 e8 ec fd ff ff e9 35 ff ff ff 48 8b 43 30 49 63 ed \u003c41\u003e 0f b7 34 24 41 83 c5 01 48 8b 3c e8 66 89 b7 aa 02 00 00 81 e6\n[1026677.300877] RSP: 0018:ff3be62a6399bcc0 EFLAGS: 00010202\n[1026677.306556] RAX: ff28691e28980828 RBX: ff28691e41099828 RCX: 0000000000188000\n[1026677.314148] RDX: 0000000000000000 RSI: 0000000000000010 RDI: ff28691e41099828\n[1026677.321730] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n[1026677.329311] R10: 0000000000000007 R11: ffffffffffffffc0 R12: 0000000000000010\n[1026677.336896] R13: 0000000000000000 R14: 0000000000000000 R15: ff28691e0eaa81a0\n[1026677.344472] FS:  0000000000000000(0000) GS:ff28693cbffc0000(0000) knlGS:0000000000000000\n[1026677.353000] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[1026677.359195] CR2: 0000000000000010 CR3: 0000000128df4001 CR4: 0000000000771ef0\n[1026677.366779] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[1026677.374369] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[1026677.381952] PKRU: 55555554\n[1026677.385116] Call Trace:\n[1026677.388023]  \u003cTASK\u003e\n[1026677.390589]  ? __die+0x20/0x70\n[1026677.394105]  ? page_fault_oops+0x82/0x160\n[1026677.398576]  ? do_user_addr_fault+0x65/0x6a0\n[1026677.403307]  ? exc_page_fault+0x6a/0x150\n[1026677.407694]  ? asm_exc_page_fault+0x22/0x30\n[1026677.412349]  ? ice_vsi_rebuild_set_coalesce+0x130/0x1e0 [ice]\n[1026677.4186\n---truncated---","modified":"2026-04-02T11:52:14.025417Z","published":"2024-05-19T08:35:04.299Z","related":["ALSA-2024:5363","SUSE-SU-2024:2135-1","SUSE-SU-2024:2203-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1","SUSE-SU-2025:20166-1","SUSE-SU-2025:20249-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35911.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/11ff8392943e08a35cb0aa19d638b02db745f170"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1cb7fdb1dfde1aab66780b4ba44dba6402172111"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e40a02f06ceb0e0b0183e0b973ac5dbf8f75edec"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35911.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35911"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b3e7b3a6ee92ab927f750a6b19615ce88ece808f"},{"fixed":"e40a02f06ceb0e0b0183e0b973ac5dbf8f75edec"},{"fixed":"11ff8392943e08a35cb0aa19d638b02db745f170"},{"fixed":"1cb7fdb1dfde1aab66780b4ba44dba6402172111"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"ca03b327224ed6be2d07f42ee6ee1cdd586cfd5b"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35911.json"}}],"schema_version":"1.7.5"}